Facebook Shadow Profiles: What You Need To Know

June 30, 2013

Facebook shadow profiles. You may have seen the term crop up on tech news sites this week, and it may have given you the feeling it’s a nefarious privacy violation — or the first fun feature that Facebook has introduced in years.

But, seriously: Are shadow profiles real? Do I have one? Are they bad?

If you use Facebook, then the answer to all three of those questions is “yes.” Let’s take a trip into the shadowy recesses to learn more.

Why Are Shadow Profiles in the News?

Last Friday, just as most journalists were preparing to head home for the weekend, Facebook released some embarrassing news. A bug had exposed the private email addresses and phone numbers of 6 million users.

Though Facebook tried to downplay the significance of the bug, journalists forced to work on a weekend quickly realized there was more to the story than just another data leak: Many of the users whose email addresses and phone numbers were exposed had not knowingly shared that personal information with Facebook.

Instead, their contact information had been collected on the sly — stored in Facebook’s secret behind-the-scenes scaffolding, where it collects troves of data on you that you never knew about. That information comprises what’s known as your “shadow profile.”

Who Has a Shadow Profile?

Well, potentially everyone who has a Facebook account. Shadow profiles contain a certain amount of information you’re not surprised Facebook knows about you: your name, your interests, your relationship status, how many times you’ve liked your friends’ posts. But at the same time, Facebook has been able to sneakily collect other data about you. Even if you never told Facebook your phone number, for instance, it might have a record of it. As well as your second and third and fourth email addresses.

Where Did Facebook Get This Data?

Your friends! Or maybe even friends of friends. You can thank anyone who allowed Facebook to scan their mobile phone contacts through the “Find Friends” feature.

When someone uses this feature, Facebook downloads the phone’s entire contact book to its servers. This mostly includes emails and phone numbers. At the same time, Facebook is also collecting harder-to-track data on how you and your friends (and friends of friends) are connected to one another. That’s how it finds people to recommend for its “people you may know” feature.

Facebook’s mobile app even provides the following message:

“Find Friends uploads contacts from your device and stores them on Facebook’s servers where they may be used to help others search for people or to generate friend suggestions for you and others.”

Do Non-Facebook Users Have Shadow Profiles?

It makes sense that, with all the contact lists uploaded to its servers every day, Facebook would be able to learn a whole lot of information about people who don’t even have Facebook accounts. But while it has stayed mum on shadow accounts as a whole, the company has asserted it does not collect information on people who don’t actually use Facebook.

Is That Legal?

In the United States, probably. Facebook mentioned collecting phone contacts in the Terms of Service that all users must agree to before using the site, so unless the company is collecting additional undisclosed information, users have already given consent.

But Europe’s data protection laws are much stronger. Max Schrems, the privacy rights advocate who founded activist group Europe v. Facebook, launched a complaint against Facebook’s European offices, headquartered in Ireland, citing seven different instances in which shadow profiles potentially violate the country’s Data Protection Act. Schrems asserts that the profiles gathered “excessive amounts of information about data subjects without notice or consent by the data subject. In many cases these information might be embarrassing or intimidating for the data subject.”

How Long Has This Been Going On?

Facebook said that its user data has been leaking for over a year. It’s been catalogued at least since August 2011, when Schrems filed his complaint against the company. Facebook has had an iPhone app since August 2007, and the “Find Friends” feature launched on iPhone and Android in April 2011.

Should I Be Concerned?

There may be cause for concern, especially in light of the recent revelations regarding the National Security Agency’s intrusive spying campaign, PRISM. Facebook was one of nine companies the NSA made deals with to turn over information about users. Since Facebook won’t confirm that it hosts “shadow profiles,” it is unclear whether the information from shadow profiles could have also been passed along to the NSA. But it’s certainly possible.

In other words, you may have an email address that you’ve never listed anywhere for anyone else to see — but because one of your friends added it to his contact list, a snooping government agency may discover it.